Enabling Trusted Interoperability: Tokenization Overview
Dave Fortney, The Clearing House
September 25, 2014
Chicago Payments Symposium
PROBLEM STATEMENT: PROLIFERATION OF LIVE CONSUMER PAYMENT CREDENTIALS
Bank issues physical card
Plastic at point of sale
Ecommerce at checkout
Web bill payment
Mobile Apps
Mobile Wallet
Payment Aggregators
Future…
TOKENIZATION
Typical Attributes of Payments Tokens
Format-preserving for legacy compatibility
Either “dynamic” or “static”; if static, may be combined with a cryptogram
Restricted in scope / not “general purpose”
Can be used live to authorize / clear transactions or after-the-fact to sanitize data stores
Relationship to other technologies
EMV: Protects against card counterfeiting
Point-to-point encryption: Protects data in-flight (e.g., against RAM-sniffing software)
Tokenization: Eliminates use of static account numbers
Tokenization
Substitutes a limited-use random number (a secure digital token) for the customer’s account number so that the sensitive information remains safe. Even if compromised, the token is of limited or no use to cybercriminals
Token Vaults
Bank (or multi-bank) vaults create tokens, perform customer authentication and provision tokens to digital wallets or directories
Tokenization can reduce or even eliminate proliferation of live customer credentials
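As an added illustration (not part of the presentation, and not TCH’s or any vendor’s code) of the token attributes above: a hypothetical bank-side vault that issues random, format-preserving, Luhn-valid static tokens bound to one scope, refuses detokenization outside that scope, and can sanitize an existing data store after the fact. Scope names and record layout are constructed for the example.

```python
import secrets

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test legacy systems run on PANs."""
    total = 0
    for i, ch in enumerate(reversed(partial)):   # rightmost digit of partial is doubled
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]

class TokenVault:
    """Hypothetical vault: issues static, format-preserving tokens and holds the only mapping back to PANs."""
    def __init__(self):
        self._pan_of = {}      # token -> (pan, scope)
        self._token_of = {}    # (pan, scope) -> token, so a static token is stable per scope
        self._vaulted_pans = set()

    def tokenize(self, pan: str, scope: str) -> str:
        """Random token, same length as the PAN, Luhn-valid, bound to one scope (e.g. one merchant)."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        key = (pan, scope)
        if key in self._token_of:
            return self._token_of[key]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            token = body + luhn_check_digit(body)
            # Not derived from the PAN; reject collisions with issued tokens or vaulted real PANs
            if token not in self._pan_of and token not in self._vaulted_pans and token != pan:
                break
        self._pan_of[token] = key
        self._token_of[key] = token
        self._vaulted_pans.add(pan)
        return token

    def detokenize(self, token: str, scope: str) -> str:
        """Only the vault maps back, and only for the scope the token was issued to."""
        pan, bound_scope = self._pan_of.get(token, (None, None))
        if pan is None or bound_scope != scope:
            raise PermissionError("unknown token or token presented outside its scope")
        return pan

    def sanitize(self, records, scope: str):
        """After-the-fact use: replace stored PANs with tokens so the store holds no live credentials."""
        return [{**r, "pan": self.tokenize(r["pan"], scope)} for r in records]
```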
EXAMPLE #1: FIRST DATA TRANSARMOR (WITH ENCRYPTION)
Source: EMV and Encryption + Tokenization: A Layered Approach to Security, First Data, 2012
EXAMPLE #2: TCH’S UPIC — ACH TOKENS FOR B2B CREDITS
Ubiquitous DDA tokenization is a prerequisite for safe and secure faster payments
[Chart: UPIC, Jan-05 to Jan-14; y-axis from (100,000) to 1,100,000]
Universal routing number (2nd District)
Tokenized account number
Credit payments only; debits are blocked
Issued and maintained by banks
Portable
Translated to true RT/DDA by TCH
Not supported by FedACH receive points
EXAMPLE #3: CARD TOKENIZATION FOR MOBILE AND E-COMMERCE
[Diagram: Customer pays the Merchant with a token (eW / mW); Merchant, Acquirer and Card Networks have no access to customer bank account information; the Token Service Provider / Token Vault and the Bank Issuer have access and perform Customer Authentication (ID&V), Token Provisioning and the token / account exchange. Example: EMVCo Tokenization and TCH’s Secure Token Exchange]
• Acquirers route tokens to credit and debit networks, just as they do today with PANs
• Token Service Provider / Vault could reside at bank, at card network, or at other party such as TCH
SOLUTION: SECURE TOKENIZATION PROVIDES BENEFITS TO ALL STAKEHOLDERS, INCLUDING CONSUMERS
Today
Sensitive account information is static
Customers provide live bank data to retailers, wallets, alternative payment providers, aggregators, others
Fraud risk increasing as cards upgrade to EMV, and as e-commerce and mobile grow
Confusing and complicated process to maintain and update consumer information across multiple providers when a card is lost, stolen or expired
With Tokenization
Customer bank data securely held behind bank firewalls
Consumers don’t need to provide sensitive information to multiple providers
Lower fraud potential in event of data breach or lost/stolen device
Single contact point to update and maintain consumer information
No change in consumer behavior at POS
U.S. has opportunity to lead the world by rolling out tokenization in conjunction with EMV to protect against card present and card not present fraud
ACHIEVING TOKENIZATION INTEROPERABILITY AND UBIQUITY
Six Safety and Soundness Principles
1. STANDARDS-BASED: Establishes clearly defined standards; aligns with regulatory environment and avoids overlap with existing standards; considers and respects int'l standards as a means of facilitating interoperability
2. OPEN: Allows for different business models; fosters innovation; ensures competition among market participants (e.g., vaulting)
3. SUSTAINABLE: Creates a path forward to support long-term viability; adapts over time as technology evolves; allows for economically viable business models that accelerate adoption
4. SAFE & SECURE: Protects confidential personal, financial, and transactional information within the mobile and e-commerce payments ecosystem; facilitates secure interactions
5. INITIAL FOCUS ON HIGH-RISK USE CASES: Mobile and e-Commerce; supports exception flows, lifecycle management; supports multiple form factors (e.g., NFC, QR codes)
6. RESPONSIVE TO END USER AND MERCHANT NEEDS: Provides for ease of use, speed, availability, security, transparency, choice and consistency for users
TOKENIZATION FOR DDA-BASED PAYMENTS AND DIRECTORIES
DDA Tokenization could mitigate ACH/Check fraud and encourage wider use of DDA payments by consumers
– Critical as card payments become better secured with EMV, tokenization and encryption
DDA Tokens are also an enabler for DDA directory services
– Directory lookups translate known identifiers into information sufficient to route payments
– Example Directories: P2P, EBIDS/Bill payment, Healthcare payments, B2B
An enabler for future account number portability
“Financial institutions have always been the stewards of safe and sound payment systems. As an industry, we want to do what we can to ensure that privacy and fraud protection are built into all types of digital payments.”
Richard K. Davis, Chairman, President and CEO, U.S. Bancorp; Chairman, The Clearing House
Tokenization is an important building block for protecting digital payment streams from cyberattack and enabling trusted interoperability